
    <!DOCTYPE HTML>
    <html lang="en" data-template="post-page">
    <head>
        
        
        
        
    <meta charset="UTF-8"/>
    <title>Condi DDoS Botnet Spreads via TP-Link&#39;s CVE-2023-1389 | FortiGuard Labs</title>
    <meta name="keywords" content="FortiGuard Labs Threat Research,botnet,DDoS attacks"/>
    <meta name="description" content="FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year. Read more. "/>
    <meta name="template" content="post-page"/>
    

    <meta name="viewport" content="width=device-width, initial-scale=1"/>


<meta name="google-site-verification" content="tiQ03tSujT2TSsWJ6tNHiiUn8cwYVmdMQrGUCNrPQmo"/>

<meta property="og:site_name" content="Fortinet Blog"/>
<meta property="og:title" content="Condi DDoS Botnet Spreads via TP-Link&#39;s CVE-2023-1389 | FortiGuard Labs"/>
<meta property="og:url" content="https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"/>
<meta property="og:type" content="article"/>
<meta property="og:description" content="FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389,…"/>
<meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/DDOS-HERO-19.jpg"/>

<meta property="twitter:card" content="summary"/>
<meta property="twitter:site" content="@Fortinet"/>

<meta property="article:author" content="Joie Salvio and Roy Tay"/>

    <meta property="article:section" content="FortiGuard Labs Threat Research"/>


    <meta property="article:published_time" content="2023-06-20T12:07:00.000-07:00"/>


    <meta property="article:tag" content="botnet"/>

    <meta property="article:tag" content="DDoS attacks"/>


<link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/>
<link rel="canonical" href="https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"/>






    
<link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.css" type="text/css">






<!-- SEO Script -->




    
    
    

    
    

    
    
    
    

    

    

    

    

    


        
            
                

            
        



    </head>
    <body>
    



    
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
<section class="b4-hero aem-GridColumn aem-GridColumn--default--12">



<div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/DDOS-HERO-19.jpg);">
    <img class="ratio" alt="Condi DDoS Botnet Spreads via TP-Link&#39;s CVE-2023-1389 | FortiGuard Labs" aria-hidden="true" src=""/>
    <div class="b4-hero__text text-container">
        <p data-ly-test class="b4-hero__kicker">FortiGuard Labs Threat Research</p>
        
        
        <h1 class="b4-hero__headline">Condi DDoS Botnet Spreads via TP-Link&#39;s CVE-2023-1389</h1>
        
    </div>
</div>
</section>
<section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12">

<div class="b15-blog-meta__container text-container">
    <span>By </span>

    <span class="b15-blog-meta__author">

        
					

                        

                                  
                                      
                                            
                                          
                                              <a href="/blog/search?author=Joie+Salvio">Joie Salvio</a> and
                                          
                                           
                                      
                                  
                          

                                  
                                      
                                            
                                              <a href="/blog/search?author=Roy+Tay">Roy Tay</a>
                                          
                                          
                                           
                                      
                                  
                          
                    
        
    </span>
    <span class="b15-blog-meta__">
        

              </span>



    <span class="b15-blog-meta__date"> | June 20, 2023</span>
</div>
</section>
<div class="responsivegrid aem-GridColumn aem-GridColumn--default--12">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="raw-import aem-GridColumn aem-GridColumn--default--12">
<div class="text-container"></div>
</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p><b>Affected platforms:</b> Linux<br />
<b>Impacted parties:</b> Any organization<br />
<b>Impact:</b> Remote attackers gain control of the vulnerable systems<br />
<b>Severity level: </b>Critical</p>
<p>FortiGuard Labs encountered recent samples of a <a href="https://www.fortinet.com/resources/cyberglossary/ddos-attack">DDoS</a>-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to <a href="https://www.fortiguard.com/outbreak-alert/tp-link-archer-ax-21-command-injection">CVE-2023-1389</a>, which was disclosed in mid-March of this year. We have additionally observed an increasing number of Condi samples collected from our monitoring systems since the end of May 2023, indicating an active attempt to expand the botnet.</p>
<p>This blog details the capabilities of this botnet.</p>
<h2>Condi Botnet: Buy or Rent<br />
</h2>
<p>While pivoting from the Command and Control (C2) domain cdn2[.]duc3k[.]com in one of the malware samples, FortiGuard Labs researchers found a sibling domain, admin[.]duc3k[.]com, that previously displayed the message “contact @zxcr9999 telegram”. A quick search revealed a Telegram channel, Condi Network, advertising a Condi botnet with capabilities matching those observed in our sample (Figure 1).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389/_jcr_content/root/responsivegrid/image.img.png/1686942592683/screen-shot-2023-06-16-at-2.09.36-pm.png" alt="Screenshot of Figure 1: Advertisement for “private version” of Condi on Telegram"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 1: Advertisement for “private version” of Condi on Telegram</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code (Figure 2).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389/_jcr_content/root/responsivegrid/image_274571952.img.png/1686942631671/screen-shot-2023-06-16-at-2.10.17-pm.png" alt="Screenshot of Figure 2: DDoS-as-a-Service and sale of malware source code"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 2: DDoS-as-a-Service and sale of malware source code</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>We provide a technical analysis of the ARM malware sample <i>509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084</i> in the following sections:</p>
<h2>Killing off the Competition</h2>
<p>This malware employs several techniques to keep itself running in an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes.</p>
<p>As is typical of Mirai-based botnets, this malware cannot survive a system reboot. To avoid being removed that way, it deletes the following binaries used to shut down or reboot the system, so their unexpected absence on a device is worth checking during triage.</p>
<ul>
<li>/usr/sbin/reboot</li>
<li>/usr/bin/reboot</li>
<li>/usr/sbin/shutdown</li>
<li>/usr/bin/shutdown</li>
<li>/usr/sbin/poweroff</li>
<li>/usr/bin/poweroff</li>
<li>/usr/sbin/halt</li>
<li>/usr/bin/halt</li>
</ul>
<p>It also reads the /proc/&lt;PID&gt;/status for each running process and compares the Name field to the following strings to kill any processes with matching names:</p>
<ul>
<li>/bin/busybox</li>
<li>/bin/systemd</li>
<li>/usr/bin</li>
<li>test</li>
<li>/tmp/condi</li>
<li>/tmp/zxcr9999</li>
<li>/tmp/condinetwork</li>
<li>/var/condibot</li>
<li>/var/zxcr9999</li>
<li>/var/CondiBot</li>
<li>/var/condinet</li>
<li>/bin/watchdog</li>
</ul>
<p>We assess that the developer intended to kill off older versions of Condi currently running on an infected device together with selected system processes. However, the implementation is flawed as the Name field only contains the executable names of processes and not their full paths, so the entries written as full paths are unlikely to ever match.</p>
<p>Additionally, it kills any processes with binary filenames containing the following extensions commonly used by other botnets:</p>
<ul>
<li>x86</li>
<li>x86_64</li>
<li>arm</li>
<li>arm5</li>
<li>arm6</li>
<li>arm7</li>
<li>mips</li>
<li>mipsel</li>
<li>sh4</li>
<li>ppc</li>
</ul>
<p>It also generates a random string of at least ten characters from the custom alphanumeric character set &quot;lvrvup9w0zwi6nuqf0kilumln8ox5vgv@&quot; and attempts to kill any process with this string in its command line; however, it is nearly certain that no such process will exist. Which process the malware developer intended to terminate with this code is unclear.</p>
<p>Finally, it generates two numbers (one between 12 and 32, the other between 12 and 20) and kills any processes with a command line length matching either number. Killing off random processes based on their command line length is likely to wreak havoc and prevent the infected device from functioning correctly if the malware happens to terminate system processes.</p>
<h2>Botnet Propagation</h2>
<p>Unlike most DDoS botnets, this sample does not propagate by trying different credentials. Instead, it embeds a simple scanner modified from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or 8080 (commonly used for HTTP servers) and then sends a hardcoded exploitation request (Figure 3) to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t, which will infect the device with Condi if it is a vulnerable TP-Link Archer AX21 device.</p>
<p> </p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389/_jcr_content/root/responsivegrid/image_1027429483.img.png/1686942751148/screen-shot-2023-06-16-at-2.12.13-pm.png" alt="Screenshot of Figure 3: CVE-2023-1389 exploitation request"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 3: CVE-2023-1389 exploitation request</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>The remote shell script is typical of Mirai-based loaders that try to download and execute binaries of each architecture in turn (Figure 4). The first command-line argument provided to the malware binary, “0days” in this case, is referred to as “id” (“source” in the original Mirai code), which DDoS botnet operators commonly use to identify the method used to replicate the malware.</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389/_jcr_content/root/responsivegrid/image_1847336619.img.png/1686942795880/screen-shot-2023-06-16-at-2.13.00-pm.png" alt="Screenshot of Figure 4: Shell script downloader with “0days” source"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 4: Shell script downloader with “0days” source</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>While the sample we analyzed only contained the scanner for CVE-2023-1389, other Condi botnet samples were also seen exploiting other vulnerabilities to propagate. The publicly available source code for older versions also includes scanners for known vulnerabilities exploited by other Mirai variants.</p>
<p>We also observed shell scripts hosted on the same IP with different sources in the execution commands. Figure 5 shows a script with an “adb” source, which refers to Android Debug Bridge (ADB).</p>


</div>
<div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3">

    
        <noscript data-cmp-image="{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}">
            <img src="/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389/_jcr_content/root/responsivegrid/image_1017647553.img.png/1686942871527/screen-shot-2023-06-16-at-2.14.08-pm.png" alt="Screenshot of Figure 5: Shell script downloader with &#34;adb” source"/>
        </noscript>
    
    <span class="cmp-image--title">Figure 5: Shell script downloader with &#34;adb” source</span>


    

</div>
<div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12">
  <p>We found source code for an older version of Condi that scans for devices with <a href="https://www.fortiguard.com/encyclopedia/ips/46278/android-adb-debug-port-remote-access">an open Android Debug Bridge port</a> (TCP/5555), so it is possible that the botnet is currently being propagated via this means.</p>
<h2>C2 Protocol and Command List</h2>
<p>The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.</p>
<p>The initial registration packet sent by the bot to the C2 contains the bytes <i>\x33\x66\x99</i>, commonly associated with Moobot, another Mirai variant. These bytes are followed by a one-byte length of the “id”. In the case of Condi, “id” defaults to “c” if none was specified; in our case, an infection via CVE-2023-1389, it is “0days”. This signals the C2 server that the malware is ready to receive commands.</p>
<p>The first three bytes of the C2 response indicate the command for the Condi bot:</p>
<p style="margin-left: 40.0px;">1.     <i>\x99\x66\x33</i>: Likely to check if the malware is still active, in which case the malware sends a packet to C2 with \x66\x99\x66\x04 followed by “ping”</p>
<p style="margin-left: 40.0px;">2.     <i>\x99\x66\x66</i>: Terminate the bot</p>
<p style="margin-left: 40.0px;">3.     <i>\x33\x66\x66</i>: Start the webserver for serving malware binaries</p>
<p style="margin-left: 40.0px;">4.     <i>\x33\x66\x33</i>: Update binaries served by the webserver</p>
<p style="margin-left: 40.0px;">5.     <i>\x33\x66\x99</i>: Send the webserver port. Malware responds with \x66\x99\x66 followed by the length of the next string and “CondiiNeett webserv:&lt;PORT&gt;”</p>
<p style="margin-left: 40.0px;">6.     <i>\x66\x66\x99</i>: Sets an unused <i>lockdown</i> flag, which might indicate a feature in development.</p>
<p>Once it receives the <i>\x33\x66\x66</i> command used to start the webserver, this malware downloads bot binaries from a hardcoded IP and port. After that, it starts a basic HTTP server on a random port number above 1024 to host these binaries. GET, POST, and HEAD requests to this server for the <i>/arm</i>, <i>/arm7</i>, <i>/mips</i>, <i>/mipsel</i>, <i>/x86_64</i>, <i>/sh4</i>, <i>/ppc</i>, and <i>/m68k</i> URLs will serve these binaries if they were downloaded previously. This HTTP server masquerades as a legitimate Apache HTTP server by responding with the “Server: Apache” header when any URLs are requested.</p>
<p>From then on, the threat actor can issue the <i>\x33\x66\x33</i> command to download the latest binaries from the same hardcoded IP and port so that the webserver serves the most updated version of the malware.</p>
<p>If the first byte of the C2 response is not <i>\x33</i>, <i>\x66</i>, or <i>\x99</i>, the bot parses it as an attack command in the same way as Mirai.</p>
<p>Below is this sample's list of attack functions and a description of the implemented attack method.</p>
<ul>
<li><i>attack_tcp_syn</i>: Similar to Mirai’s TCP SYN flood</li>
<li><i>attack_tcp_ack</i>: Similar to Mirai’s TCP ACK flood</li>
<li><i>attack_tcp_socket</i>: TCP flood using 5000 threads against a single targeted IP</li>
<li><i>attack_tcp_thread</i>: TCP flood using 100 threads shared among targeted IPs</li>
<li><i>attack_tcp_bypass</i>: Similar to Mirai’s TCP STOMP flood</li>
<li><i>attack_udp_plain</i>: Similar to Mirai’s UDP PLAIN flood</li>
<li><i>attack_udp_thread</i>: Similar to <i>attack_udp_plain</i>, but uses two threads per target IP</li>
<li><i>attack_udp_smart</i>: Similar to <i>attack_udp_plain</i> with extra error handling for connection failures</li>
</ul>
<p>As the attack methods are consistent with the descriptions in the Telegram advertisement (Figure 1), this particular sample was likely built by the bot developer or someone with access to the malware source code.</p>
<p>This sample did not contain any HTTP attack methods observed in older Condi versions.</p>
<h2>Conclusion</h2>
<p>Malware campaigns, especially botnets, are always looking for ways to expand. Exploiting recently discovered (or published) vulnerabilities has always been one of their favored methods, as we highlighted above for the Condi botnet. Thus, it is strongly recommended to always apply the latest security patches and updates as soon as possible. For the propagation path described in this blog, that means updating TP-Link Archer AX21 (AX1800) routers to a firmware release that fixes CVE-2023-1389.</p>
<p>As always, FortiGuard Labs will continue to monitor these campaigns.</p>
<h2>Fortinet Protections</h2>
<p>Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiClient, and FortiEDR services, as follows:</p>
<p>The following AntiVirus (AV) signatures detect the malware samples mentioned in this blog:</p>
<ul>
<li><b>Linux/Mirai.REAL!tr</b></li>
<li><b>Linux/Mirai.CDB!tr</b></li>
</ul>
<p>The FortiGuard AntiVirus service is supported by FortiGate, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.</p>
<p>The FortiGuard Web Filtering Service blocks the C2 servers and download URLs.</p>
<p>FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:</p>
<ul>
<li>CVE-2023-1389: <a href="https://www.fortiguard.com/encyclopedia/ips/52742">TP-Link.Archer.AX21.Unauthenticated.Command.Injection</a></li>
</ul>
<p>For a comprehensive list of protections from FortiGuard Labs for this vulnerability, please visit the <a href="https://www.fortiguard.com/outbreak-alert/tp-link-archer-ax-21-command-injection">Outbreak Alert</a> page for further details.</p>
<p>The <a href="https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/ipreputation-antibot">FortiGuard IP Reputation and Anti-Botnet Security Service</a> proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.</p>
<p>If you believe this or any other cybersecurity threat has impacted your organization, please contact our <a href="https://www.fortinet.com/corporate/about-us/contact-us/experienced-a-breach">Global FortiGuard Incident Response Team</a>.</p>
<h2><span style="font-weight: normal;">IOCs</span></h2>
<h3><span style="font-weight: normal;">Files</span></h3>
<p>091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f<br />
291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144<br />
449ad6e25b703b85fb0849a234cbb62770653e6518cf1584a94a52cca31b1190<br />
4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1526fd22ee1d749e5a<br />
509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084<br />
593e75b5809591469dbf57a7f76f93cb256471d89267c3800f855cabefe49315<br />
5e841db73f5faefe97e38c131433689cb2df6f024466081f26c07c4901fdf612<br />
cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f400522f22ab91d2772<br />
ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbdc3f24cd0fb20458cc<br />
e7a4aae413d4742d9c0e25066997153b844789a1409fd0aecce8cc6868729a15<br />
f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d64389914f882d67cf</p>
<h3><span style="font-weight: normal;">Download URLs</span></h3>
<p>hxxp://85[.]217[.]144[.]35/arm<br />
hxxp://85[.]217[.]144[.]35/arm5<br />
hxxp://85[.]217[.]144[.]35/arm6<br />
hxxp://85[.]217[.]144[.]35/arm7<br />
hxxp://85[.]217[.]144[.]35/m68k<br />
hxxp://85[.]217[.]144[.]35/mips<br />
hxxp://85[.]217[.]144[.]35/mpsl<br />
hxxp://85[.]217[.]144[.]35/ppc<br />
hxxp://85[.]217[.]144[.]35/sh4<br />
hxxp://85[.]217[.]144[.]35/x86<br />
hxxp://85[.]217[.]144[.]35/x86_64<br />
hxxp://85[.]217[.]144[.]35/abc3.sh<br />
hxxp://cdn2[.]duc3k[.]com/t<br />
</p>
<h3><span style="font-weight: normal;">C2s</span></h3>
<p>85[.]217[.]144[.]35<br />
cdn2[.]duc3k[.]com</p>


</div>

    
</div>
</div>
<div class="b16-blog-tags aem-GridColumn aem-GridColumn--default--12">



  <div class="b16-blog-tags__container text-container" style="display:none">
    <span class="b16-blog-tags__headline">Tags:</span>
    <p class="b16-blog-tags__tag-links">
      <a href="https://www.fortinet.com/blog/tags-search.html?tag=botnet">botnet</a>, 
    
      <a href="https://www.fortinet.com/blog/tags-search.html?tag=ddos-attacks">DDoS attacks</a>
    </p>
  </div>

</div>

    
</div>
</div>


    
    
    

    
    
<script type="text/javascript" src="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.js"></script>





    



    
        
    
    

    </body>
    </html>
